dcoles/pycurl-requests

Multiple Set-Cookie headers merged incorrectly

Closed this issue · 3 comments

What I got from Postman:

Set-Cookie: test!
Set-Cookie: PHPSESSID=8536fl1c5igh89aqsjuf3l40jm; path=/
Set-Cookie: TestCookie=%3A%202595; expires=Thu, 01-Jul-2021 07:56:03 GMT; Max-Age=3600

What I got from pycurl-requests (resp.headers.get("Set-Cookie", None)):

Set-Cookie: test!, PHPSESSID=8536fl1c5igh89aqsjuf3l40jm; path=/, TestCookie=%3A%202595; expires=Thu, 01-Jul-2021 07:56:03 GMT; Max-Age=3600

This behaviour does not conform to the RFC.

Note this is not a problem of cookie support.

Hi, thank you for your bug report.

I tried reproducing this behaviour in Requests:

>>> import requests
>>> r = requests.get('https://httpbin.org/cookies/set?foo=x&bar=y', allow_redirects=False)
>>> print(r.headers.get("Set-Cookie", None))
foo=x; Path=/, bar=y; Path=/
>>> import pycurl_requests as requests
>>> r = requests.get('https://httpbin.org/cookies/set?foo=x&bar=y', allow_redirects=False)
>>> print(r.headers.get("Set-Cookie", None))
foo=x; Path=/

There's a bug in build_response where only the first key is extracted from the HTTPMessage object. Instead, these values should be joined with , as defined by RFC-7230 section 3.3.2:

A recipient MAY combine multiple header fields with the same field
name into one "field-name: field-value" pair, without changing the
semantics of the message, by appending each subsequent field value to
the combined field value in order, separated by a comma. The order
in which header fields with the same field name are received is
therefore significant to the interpretation of the combined field
value; a proxy MUST NOT change the order of these field values when
forwarding a message.

However, Set-Cookie is special:

Note: In practice, the "Set-Cookie" header field ([RFC6265]) often
appears multiple times in a response message and does not use the
list syntax, violating the above requirements on multiple header
fields with the same name. Since it cannot be combined into a
single field-value, recipients ought to handle "Set-Cookie" as a
special case while processing header fields. (See Appendix A.2.3
of [Kri2001] for details.)

(This is an important reason for adding dedicated cookie support)

However, for accessing Set-Cookie via the headers attribute, I'm likely to imitate Requests' behaviour and just use a , to join the headers.

Fix released in pycurl-requests-0.2.1.
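
Added example, not part of the issue thread and not pycurl-requests' own code: it parses the three Set-Cookie fields quoted in the report with the standard library's HTTPMessage and shows why a comma-joined value cannot be split back reliably, since the comma in the expires date yields a bogus fourth "cookie" and drops Max-Age from TestCookie. The helper names and the Content-Type line are assumptions made for the illustration.

```python
from email.parser import Parser
from http.client import HTTPMessage

# Constructed response header block; the Set-Cookie values are the ones quoted in the issue.
RAW = (
    "Content-Type: text/html\r\n"
    "Set-Cookie: test!\r\n"
    "Set-Cookie: PHPSESSID=8536fl1c5igh89aqsjuf3l40jm; path=/\r\n"
    "Set-Cookie: TestCookie=%3A%202595; expires=Thu, 01-Jul-2021 07:56:03 GMT; Max-Age=3600\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Parse a header block the same way http.client does internally."""
    return Parser(_class=HTTPMessage).parsestr(raw)

def cookie_lines(msg):
    """One entry per Set-Cookie header field, in the order received."""
    return msg.get_all("Set-Cookie", [])

def comma_joined(msg):
    """Single combined value, as a dict-like headers mapping exposes it."""
    return ", ".join(cookie_lines(msg))

def naive_split(joined):
    """Lossy: the comma inside the expires date is treated as a separator."""
    return joined.split(", ")

def parse_cookie(line):
    """Return (name, value, attributes) with lower-cased attribute names."""
    pair, *attrs = [part.strip() for part in line.split(";")]
    name, _, value = pair.partition("=")
    return name, value, {k.lower(): v for k, _, v in (a.partition("=") for a in attrs)}

if __name__ == "__main__":
    msg = parse_headers(RAW)
    print("first only :", msg.get("Set-Cookie"))
    for label, lines in (("per-field", cookie_lines(msg)), ("split", naive_split(comma_joined(msg)))):
        for line in lines:
            print(f"{label:9}:", parse_cookie(line))
```

Code that audits cookie attributes such as expiry, Secure or HttpOnly should read the per-field list (get_all here) rather than the combined headers value.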